
A White Paper by Bloor Research
Author: Nigel Stanley
Publish date: November 2007
This document is Copyright 2007 Bloor Research

"Some email traffic is now far too important to encrypt solely at an organisation's gateway to the outside world." Nigel Stanley

Summary

As email is now fully embedded as a business tool and is being used to transfer critical, sensitive data, it is becoming increasingly important to provide a secure, robust and manageable email encryption service for users. Email encryption cannot be addressed as a standalone proposition. It must be considered as part of an organisation-wide encryption service, providing security for other applications and line of business solutions.

Some email traffic is now far too important to encrypt solely at an organisation's gateway to the outside world. The rise of the inside threat means that all organisations need to consider who can access internal messages and ensure that this risk is mitigated, if appropriate, from sender through to recipient.

A mature, blended approach to email encryption that encompasses an intelligent analysis of the risks to data and the associated data value will enable organisations to implement a cost effective, robust and reliable solution. Email encryption should be of strategic concern to businesses given the possible value of data contained in many messages. Appropriate levels of encryption should be applied intelligently.

Email now mainstream and mission critical

For any sizeable organisation email is probably the top, mission critical application used by the company. Of course customer database systems, finance applications and product design systems are important, but it can be legitimately held that email is the glue that holds an organisation together and provides major support for critical processes with suppliers, partners and customers. With this ubiquitous and important nature comes the responsibility of ensuring that messages sent and received via an email system remain secure at all times. Users are not going to think about the sensitivity of their message before they send it; rather, technology, enabled and controlled by policies, needs to come to their rescue and ensure that messages are appropriately secured.

It is very rare for an organisation to mandate less security in its IT systems. In fact the relentless march of new threats places pressure on us all to increase our levels of security to ensure we can match new and emerging attacks. Email is one of the most potent business tools that we have, but also one of the most vulnerable systems for attack. The volume of organisational smarts that can travel out of the virtual front door via email can be staggering. Quotes, legal information, contracts, customer data and just about every type of document you can think of will be transported via email. Due to the prevalence of email it must be considered as a top priority in any corporate security and encryption strategy. Implementing firewalls, intrusion prevention and email hygiene devices is fine on the one hand, but if confidential email traffic is in a plain, unencrypted format there will exist a fundamental flaw in an organisation's security strategy.

Reputational risk

Many CEOs see their role as keeping their corporations out of the headlines of the Wall Street Journal or Financial Times for anything other than good reasons. Building a brand, with an associated reputation, takes years and can be destroyed in days following allegations of inappropriate behaviour, which can often include data losses facilitated by insecure, inappropriate or vindictive messages. In fact an organisation can be one email away from significant, if not terminal, damage. Reputational risk is now more likely following the enactment of various corporate behaviour laws such as Sarbanes Oxley, the Payment Card Industry Data Security Standard and the EU's Data Privacy Directive, all of which place responsibility, in different measures, on corporate executives. In addition, over 30 states in the US have enacted Breach of Information Legislation that forces organisations and agencies to disclose security breaches involving personal information, and a federal law is being actively discussed. Internationally, countries are drafting similar provisions to protect consumers and the EU is likely to see legislation by 2009.

As well as attracting reputational risk there is a direct requirement, in many instances, for organisations to compensate users for subsequent financial loss due to a breach. Research from the Ponemon Institute showed a breach to cost $182 per record; a later figure sees a rise to $197 per record, with the increase attributable to increasing legal costs.

Email encryption and a wider security strategy

Email encryption should never be considered in isolation from a broader security strategy that touches all parts of an organisation and protects data wherever it goes. Fundamental to this security strategy must be the issue of encryption and how data, in any of its forms, can be secured from prying eyes according to an organisation's overall data protection strategy.

Historically email encryption had been perceived as difficult and costly to implement, due in part to the issue of key management and difficulties with administration. Creating, authenticating, distributing and recovering public and private keys was a time consuming task and placed a burden on the IT department. Policy decisions needed to be made with regard to how keys were safely distributed, refreshed or placed into secure storage should decryption later be required. Additionally, placing demands on users to go through more steps to encrypt messages or deviate from their standard working methods meant that encryption was patchy at best, and non-existent at worst.

Wider issues, such as departmental politics, need to be addressed, as an organisation has to be aware of how to prevent pockets of unrecoverable, encrypted data appearing across a network. Robust key management and a focus on an achievable policy are critical in preventing silos of unrecoverable data.

Point solution or strategic approach?

There are many IT security solutions that perform the role of a point solution; that is, they solve a very particular security issue. Some organisations have a strategy of adopting best of breed solutions, for example the best firewall, the best intrusion prevention system and the best database security tool. Whilst this approach will deliver very good point solutions, orchestrating these applications to work coherently together can often be almost impossible as they may be based on different standards, technologies, or incompatible management interfaces. This not only increases the time and cost of deploying and maintaining technology but means valuable IT staff and resources could have been used on other projects.

An alternate approach would be to adopt a single provider of a solution set, on the basis that the elements will work together and there is one vendor to deal with. In some instances this may result in the adoption of a solution component that is not best of breed, but in many cases the solution is more than adequate and easier manageability makes up for any shortfalls.

Email encryption needs to be considered as part of a broader encryption strategy, as the complex issues of, for example, key management, policy creation and reliability can only be properly addressed as part of a strategic approach to encryption for the entire organisation. It is unlikely that a number of point encryption solutions would be successful, as management issues would be compounded, leading to huge practical problems. Bloor Research believes that for a critical infrastructure service such as email encryption, a single vendor solution, from a leading supplier, is the best strategy.

Software or appliance based encryption?

Appliances (encapsulated servers that contain preconfigured hardware and software) are, quite rightly, popular in many small and medium sized businesses. The deployment of an appliance can often be as straightforward as placing it into a rack and switching it on, giving us the notion of a "FedEx" system upgrade. That is, a new system is simply mailed or delivered by van for easy, instant installation. For many security applications this is a valid and useful approach.

For larger enterprises with complex multi-site operations, many of which may operate 24x7, appliance-based solutions are generally unable to provide the depth and breadth of effective encryption seen from an enterprise software approach. Issues around scalability, redundancy and practical systems management make a software-based approach to encryption a more suitable choice for large scale organisations. The growth of virtualisation technologies is raising another challenge to appliance vendors as enterprises see the possibility of hosting multiple security systems on preexisting but under-utilised servers, increasing the return on what could be considerable hardware investments.

From gateway to gateway

When and where should you encrypt your email traffic? Is it at the client, or is it at the gateway prior to sending to the recipient? Or maybe the encryption is only from the gateway to the recipient client? Or maybe a combination of all of the above is appropriate?

Many organisations are happy with the placing of an email gateway of some description that encrypts messages as they leave the corporate perimeter. These gateways are often appliances that process emails as they leave and enter the organisation. The problem with gateway encryption is that emails are still travelling around the organisation unencrypted and in plain text, vulnerable to prying malware or interception prior to being encrypted by the gateway.

Figure 1: Email traffic is only encrypted once it passes through the gateway

In some circumstances, organisations with data deemed to be of low value or not at risk may find gateway encryption appropriate, but those needing a higher level of security based on the type of work they do or the value of data they manage will need to look a bit deeper. Why? Threats to an organisation need not always come from an external source, and indeed threats to an organisation's secure data can be just as damaging from internal users who make mistakes.

Most businesses and organisations have in place basic security arrangements that enable them to conduct their day to day work. For many this will entail the provision of a relatively safe and protected building for employees to come to work, secure in the knowledge that they will be able to leave the premises at the end of the day without either harming themselves or the business. IT security is dealt with in more or less the same way. The business will put together sufficient technologies so that it can undertake its day to day work, with security implemented appropriately. The level of security protection can range from nothing through to complex intrusion prevention and detection systems combined with state of the art firewalls.

Unfortunately most of this effort is targeted at keeping the bad people out. For many who are not IT security experts their visualisation of the topic comprises just this: lots of barriers and obstacles to prevent unauthorised people from getting in. No one would disagree with this approach, but keeping the bad people out is only half the problem. What if the bad people are already inside your organisation? What about those upset about poor bonuses looking for a quick exit? This type of insider threat is a real and present danger. Just one incident can have material consequences on a business.

Most vulnerable to outside interference would be the ubiquitous mobile email user with a handheld device. Tour any financial centre and see the thousands of city whiz kids passing data around in email form, with goodness knows what data being passed in plain text. Unless these emails are secured using a consistent policy, as implemented by an organisation's desktop and gateway encryption products, before they leave the handheld device, organisations leave a big gap in their security measures. This immediately demonstrates how perimeterless modern enterprises now are, and puts added pressure on messaging security experts to ensure their email is as secure as possible. Remember a $300 device could contain data worth $millions to the right individual or organisation. If the lost data contained customer information then an organisation will need to fix the data breach and report the loss to customers, at possibly great financial and brand equity expense.

Historically, consideration was given to securing email traffic based on a departmental need, such as HR, legal and executive messages, which were deemed to be sensitive. It is the opinion of Bloor Research that this approach is too simplistic, as the nature of emails generated by those further down the hierarchy can be just as compromising as those created higher up. In this case email encryption needs to be considered as a corporate-wide solution.

From end point to end point

A more suitable encryption option that offers better coverage for more sensitive data would be to put in place a security technology that requires all messages to be encrypted at the time they are sent from a client, any client. That way there would never be insecure traffic, as we now have whole journey encryption for each and every email being sent.

A challenge with this approach is how to make the encryption seamless to the user: asking users to manually encrypt emails each time they are sent is a sure fire recipe for wasted investment in security technology. All it takes is a single user not following policy for the investment in technology to be wasted. By using software that integrates into the heart of an email system as well as an existing directory structure, user intervention is not required and system management is made a lot easier. Organisations that deal with legal, financial, medical or any other classically sensitive data should seriously consider the benefits of end point based encryption.

Figure 2: Approaches to email encryption. The four approaches, No Encryption, Gateway Encryption, Blended Encryption and Endpoint Encryption, are arranged by the value of and risk to the data (lower to higher) and by the key management required (less to more).
Gateway encryption: suited to lower risk/value data; partial journey encryption only; does not deal with the inside threat issue; more scalable; less key management required.
Endpoint encryption: suited to high value and sensitive data; full journey encryption; mitigates the inside threat issue; more key management required.

Risk vs. data value: the blended approach

It is apparent that most businesses will adopt a blended approach to their email encryption as they balance the value of the data against the cost of ensuring it is protected. By reviewing the type of data being sent, the roles of individuals and the overall encryption strategy, a mixture of no encryption, client-based and gateway-based encryption is the most probable, and sensible, outcome.

Implementing an encryption solution

If you work in an organisation that handles sensitive data then email encryption is a must have. The best model for this encryption is an end point to end point (client to client) basis; anything else leaves you subject to a security violation. The implementation of a client to client solution need not be onerous, and you would expect a leading vendor to have a product that would interoperate with your current email system, providing the tools and infrastructure to enable deployment and management across a desktop estate.

This solution must also have the capability to reflect organisational security policies in the emails being sent; for example, picking up keywords, sender details or recipient information and then applying an appropriate level of encryption based on relevant sensitivities. It is important to have strong integration with content scanning and data leakage prevention systems. An email client encryption product that is also extensible enough to take part in an enterprise encryption strategy that secures data ranging from USB flash drives through to file servers is a must have, as previously discussed. Throughout, user workflow and productivity must not be impacted, with encryption implemented transparently and enforced by policy.

Market overview

Email encryption can be implemented by using a hardware appliance or by software installed on a server or on clients such as desktops/laptops and smart phones. An appliance-based approach to encryption may be a valid approach for some small and medium sized organisations with fixed, specific requirements. For larger organisations an appliance-based approach to encryption may not be flexible enough and may become severely limiting in a short period of time. In addition an appliance will only provide encryption services from the gateway onwards; it will not address the issue of encrypting internal email traffic.
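The policy-driven selection just described (keywords, sender details and recipient information mapped to an encryption level) can be sketched as a small rule engine. The Python below is an added example written for this page, not code from Bloor Research or from any vendor product; the tier names, the example.com domain, the directory lookup, the list of sensitive departments and the keyword and card-number patterns are all constructed assumptions. It goes slightly beyond the paragraph by ordering the tiers so that the most protective rule always wins: a content hit or a sensitive sender escalates to endpoint (whole journey) encryption even when every recipient is internal, which is the paper's inside-threat point expressed as a rule, while an external recipient on its own only requires gateway encryption.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Encryption tiers in ascending order of protection (names are assumptions).
NONE = "none"          # plain delivery, internal traffic only
GATEWAY = "gateway"    # encrypted at the perimeter, plaintext inside
ENDPOINT = "endpoint"  # encrypted at the sending client, whole journey
TIER_RANK = {NONE: 0, GATEWAY: 1, ENDPOINT: 2}

INTERNAL_DOMAIN = "example.com"  # constructed organisation domain

# Constructed stand-in for a directory lookup: sender address -> department.
DIRECTORY = {
    "alice@example.com": "legal",
    "bob@example.com": "sales",
    "carol@example.com": "engineering",
}
SENSITIVE_DEPARTMENTS = {"hr", "legal", "finance"}  # assumption

# Constructed content rules; any hit forces endpoint encryption.
CONTENT_RULES = [
    ("keyword", re.compile(r"\b(confidential|contract|salary|patient)\b", re.I)),
    ("card-number", re.compile(r"\b(?:\d[ -]?){15}\d\b")),  # 16 digits, optional separators
]


@dataclass
class Message:
    sender: str
    recipients: List[str]
    subject: str
    body: str


def classify(msg: Message) -> Tuple[str, List[str]]:
    """Return the required encryption tier and the reasons that drove it."""
    tier = NONE
    reasons: List[str] = []

    def raise_to(new_tier: str, why: str) -> None:
        # Only ever move upwards: the most protective matching rule wins.
        nonlocal tier
        if TIER_RANK[new_tier] > TIER_RANK[tier]:
            tier = new_tier
        reasons.append(f"{new_tier}: {why}")

    # Content scanning over subject and body.
    text = f"{msg.subject}\n{msg.body}"
    for name, pattern in CONTENT_RULES:
        if pattern.search(text):
            raise_to(ENDPOINT, f"{name} rule matched")

    # Sender role, resolved through the directory.
    dept = DIRECTORY.get(msg.sender.lower())
    if dept in SENSITIVE_DEPARTMENTS:
        raise_to(ENDPOINT, f"sender department '{dept}' is sensitive")

    # Recipient domains: leaving the perimeter needs at least gateway encryption.
    external = [r for r in msg.recipients
                if not r.lower().endswith("@" + INTERNAL_DOMAIN)]
    if external:
        raise_to(GATEWAY, "external recipients: " + ", ".join(external))

    return tier, reasons


if __name__ == "__main__":
    # Constructed sample messages covering each tier.
    samples = [
        Message("bob@example.com", ["carol@example.com"], "Lunch", "Pizza at noon?"),
        Message("bob@example.com", ["partner@other.org"], "Quote", "Our list price is attached."),
        Message("alice@example.com", ["carol@example.com"], "Contract draft", "Please review."),
        Message("bob@example.com", ["carol@example.com"], "Expense",
                "Corporate card 4111 1111 1111 1111 was used."),
    ]
    for m in samples:
        tier, why = classify(m)
        print(f"{m.sender} -> {m.recipients}: {tier} ({'; '.join(why) or 'no rule hit'})")
```

Run it directly to see the four constructed messages classified. The property worth noting is that the internal card-number message from a non-sensitive sender still comes out as endpoint encryption, because a gateway would never see it, whereas the plain quote to an external partner only needs gateway encryption.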

A software based email encryption product provides a more flexible and manageable environment for larger organisations. It will also be easier to integrate into a broader IT management infrastructure, especially if the vendor is able to provide enterprise data encryption and the choice of endpoint or gateway level encryption. Well-proven and extensible key management is critical to any solution that is implemented. The ability to quickly and seamlessly issue, recover and manage keys is core to the successful implementation of email and other strategic encryption applications deployed today and in the future.

Purchasing issues and points to consider

A decision will need to be made early on regarding the nature of the email encryption solution being evaluated. Tactical purchases are easier to make but are likely to lead on to problems later with poorer management tools and weak scalability. Any savings in the short term will be quickly lost due to increased management and limited functionality.

A strategic email encryption solution should be considered in most cases. This should be capable of securing email traffic from end point to end point and via gateways, depending on an organisation's specific risk profile, data value and deployment considerations. Whatever approach is required, the email encryption functionality should be one element of a broader encryption strategy for an organisation.

The vendor relationship with a provider of email encryption services needs to be considered in depth. You will be buying more than a simple email encryption product; instead you will be purchasing a strategic element of your overall security strategy. Consideration needs to be given to the make up of a potential vendor, their support infrastructure, fiscal soundness, broader encryption strategy, international reach, road map, focus and history of working with encryption. Together these should give you a belief in the vendor's soundness and fitness for purpose.

Bloor Research overview

Bloor Research has spent the last decade developing what is recognised as Europe's leading independent IT research organisation. With its core research activities underpinning a range of services, from research and consulting to events and publishing, Bloor Research is committed to turning knowledge into client value across all of its products and engagements. Our objectives are:
Save clients time by providing comparison and analysis that is clear and succinct.
Update clients' expertise, enabling them to have a clear understanding of IT issues and facts and validate existing technology strategies.
Bring an independent perspective, minimising the inherent risks of product selection and decision-making.
Communicate our visionary perspective of the future of IT.
Founded in 1989, Bloor Research is one of the world's leading IT research, analysis and consultancy organisations, distributing research and analysis to IT user and vendor organisations throughout the world via online subscriptions, tailored research services and consultancy projects.

About the author

Nigel Stanley, Practice Leader, Security

Nigel Stanley is a specialist in business technology and IT security. For a number of years Nigel was Technical Director of a leading UK Microsoft partner, where he led a team of consultants and engineers providing secure business IT solutions. This included data warehouses, client server applications and intelligent web based solutions. Many of these solutions required additional security due to their sensitive nature. From 1995 until 2003 Nigel was a Microsoft Regional Director, an advisory role to Microsoft Corporation in Redmond in recognition of his expertise in Microsoft technologies and software development tools. Nigel had previously worked for Microsoft as a systems engineer and product manager specialising in databases and developer technologies. He was active throughout Europe as a leading expert on database design and implementation. Nigel has written three books on database and development technologies including Microsoft.NET. He is working on a number of business-led IT assignments and is an executive board member of a number of privately held companies. He has significant experience in security and related activities and is practice leader for security at Bloor Research.

Copyright & disclaimer

This document is subject to copyright. No part of this publication may be reproduced by any method whatsoever without the prior consent of Bloor Research. Due to the nature of this material, numerous hardware and software products have been mentioned by name. In the majority, if not all, of the cases, these product names are claimed as trademarks by the companies that manufacture the products. It is not Bloor Research's intent to claim these names or trademarks as our own. Whilst every care has been taken in the preparation of this document to ensure that the information is correct, the publishers cannot accept responsibility for any errors or omissions.
